Candidates, Organizations Can Find Common Ground to Strengthen Cyber Workforce

Posted on by Jonathan Brandt

Cybersecurity job candidates and the organizations looking to land them both have a big part to play in smoothing some of the pervasive challenges on the cybersecurity hiring front.

At an RSA Conference panel titled “Upskilling, Credentials and Soft Skills: Closing the Cyber Workforce Gap” on May 17, Gregory J. Touhill, CISM, CISSP, Brigadier General, USAF (retd), Director at the CERT Division at the Software Engineering Institute, Carnegie Mellon University, and Caitlin McGaw, CEO and Chief Recruiting Officer, Candor McGaw, Inc, will share insights into how organizations can drive their goals of obtaining hard-to-find soft skills, as well as technical skills, for their teams. 

While cybersecurity jobs are still in high demand despite the pandemic, major challenges remain when it comes to filling the pipeline for in-demand cybersecurity roles. According to ISACA’s recently released State of Cybersecurity 2021 report, around 3,600 cybersecurity leaders report consistent challenges finding qualified, well-rounded candidates—and understaffed teams remain strongly correlated to an increasing number of cyberattacks.

Though the cybersecurity workforce was mainly spared the pandemic devastation experienced in many other sectors, the survey found that longstanding issues persist, including:

  • 61 percent of respondents indicate that their cybersecurity teams are understaffed
  • 55 percent say they have unfilled cybersecurity positions
  • 50 percent say their cybersecurity applicants are well qualified
  • Only 31 percent say HR regularly understands their cybersecurity hiring needs

McGaw thinks there is plenty of room for improvement among candidates and organizations alike to more efficiently identify matches for open job searches.


“It’s on the candidate to demonstrate their skills and to bring those stories about their good attributes forward, but it’s also on hiring leaders,” McGaw said. “I’ve seen many hiring managers who just simply aren’t good interviewers. They may be more comfortable interviewing candidates around technical skills but aren’t always thoughtful about questions they could ask and the listening they could do around the soft skills and traits candidates might bring forward if they were asked other questions.”


Technical cybersecurity positions remain difficult to fill, with 47% of respondents reporting that all or most of their unfilled positions are at that level. The biggest increase in demand, a five-percentage-point increase, is for cybersecurity managers. Touhill said it takes a multifaceted skill set to thrive in that role.

“Something I learned in the military is leaders lead people. Managers manage stuff,” said Touhill, also an ISACA board director. “In the cyber business, you’ve got to be both a leader and a manager.”


Even candidates who have those critical technical cybersecurity skills may not be good fits without additional “soft skills” such as being strong communicators and having the ability to understand how security enables the business. It can be worthwhile to highlight the need for those types of soft skills when companies are recruiting for open positions.


“I’m seeing more job descriptions including bullets about soft skill attributes companies are looking for, but something that continues to be problematic is the search for the purple squirrel, the aspirational job description,” McGaw said. “This tends to rule out too many people. For example, if women don’t see a strong correlation between their skills and those listed on the job description, they’ll often be discouraged from applying.”


Addressing the underrepresentation of women in the cybersecurity workforce remains an ongoing priority throughout the industry. Successfully turning the corner on that front is among the keys to bolstering the pipeline of cybersecurity professionals over the long haul.


“I’m looking for people who can provide me diversity, equity and inclusion in my workforce,” Touhill said. “For those that feel underqualified for certain positions, if you’ve got the hard skills, and you can contribute as part of the team, I still want to hear from you. Don’t be deterred just because you may not have 100% of all the skills I’m looking for. Let the hiring authority be the decider on that.”


For a complimentary copy of State of Cybersecurity 2021 Part 1, insights from industry leaders and related resources, visit

Jonathan Brandt

Information Security Professional Practices Lead, ISACA


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
